Charalampos Katsis, F. Cicala, D. Thomsen, N. Ringo, E. Bertino
Title: NEUTRON: A Graph-based Pipeline for Zero-trust Network Architectures
Venue: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy
DOI: https://doi.org/10.1145/3508398.3511499
Published: 2022-04-14
Citations: 2
Abstract
The Zero-Trust Architecture (ZTA) security paradigm deploys comprehensive user- and resource-aware defenses both at the network's perimeter and inside the network. However, deploying a ZTA approach requires specifying and managing a large, network-spanning set of fine-grained security policies, which increases administrators' workloads and the chance of errors. This paper presents the design and prototype implementation of the NEUTRON policy framework, which provides an automated end-to-end policy pipeline: specification, management, testing, and deployment. NEUTRON uses a flexible, graph-based approach to specify and share complex, fine-grained network security policies. NEUTRON provides a software structure so that policy patterns can be shared easily between organizations, reducing the burden of creating policy. Administrators assemble the software for their site, and the NEUTRON policy generator creates the entire network-wide security policy. Treating the security policy like software also allows new approaches to policy verification and policy change impact analysis. We therefore designed the Security Policy Regression Tool (SPRT), which uses our novel Ruleset Aggregation Algorithm to perform scalable verification of the network-wide security policy across the network model. Moreover, our graph-based framework allows efficient computation and visualization of the policy change impact.
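The pipeline the abstract sketches (a graph-based policy specification, a generator that expands it into a network-wide allow-list, a regression check over that allow-list, and a diff that shows what a change affects) as an added illustration in Python. This is not NEUTRON's code and does not implement its Ruleset Aggregation Algorithm; the role/host/port schema, the sample network, the invariants and the "pivot path" reachability check are all constructed here for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Rule:
    """One generated allow rule (src host -> dst host : port).
    Anything not generated is denied, the zero-trust default."""
    src: str
    dst: str
    port: int


@dataclass
class PolicyGraph:
    """Role-level policy graph (hypothetical schema, not NEUTRON's format).
    Nodes are roles (sets of hosts); a directed edge (src_role, dst_role)
    carries the ports the source role may reach on the destination role."""
    members: dict = field(default_factory=dict)  # role -> set of host names
    edges: dict = field(default_factory=dict)    # (src_role, dst_role) -> set of ports

    def add_role(self, role, *hosts):
        self.members.setdefault(role, set()).update(hosts)

    def allow(self, src_role, dst_role, *ports):
        self.edges.setdefault((src_role, dst_role), set()).update(ports)

    def compile(self):
        """Policy generator: expand role edges into the per-host allow-list
        that each enforcement point (host firewall, segment gateway) needs."""
        rules = set()
        for (s_role, d_role), ports in self.edges.items():
            for s in self.members[s_role]:
                for d in self.members[d_role]:
                    for p in ports:
                        if s != d:
                            rules.add(Rule(s, d, p))
        return frozenset(rules)


def pivot_path(rules, src, dst):
    """Shortest host chain from src to dst over allowed flows, i.e. the
    lateral-movement path an attacker holding src could try; None if none."""
    adj = {}
    for r in rules:
        adj.setdefault(r.src, set()).add(r.dst)
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj.get(cur, ())):  # sorted: deterministic paths
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def hops(rules, src, dst):
    path = pivot_path(rules, src, dst)
    return None if path is None else len(path) - 1


def regression_check(rules, invariants):
    """Run each named invariant over the compiled ruleset; return the failures."""
    return [name for name, check in invariants.items() if not check(rules)]


def change_impact(before, after):
    """Flows a policy change newly allows and newly denies."""
    return sorted(after - before), sorted(before - after)


def build_baseline():
    """Constructed sample: a three-tier app plus a bastion (not from the paper)."""
    g = PolicyGraph()
    g.add_role("internet", "ext-client")
    g.add_role("web", "web1", "web2")
    g.add_role("app", "app1")
    g.add_role("db", "db1")
    g.add_role("admin", "bastion")
    g.allow("internet", "web", 443)
    g.allow("web", "app", 8080)
    g.allow("app", "db", 5432)
    g.allow("admin", "db", 22)
    return g


def db_behind_app(rules):
    # Reaching the database from the internet must cross both web and app tiers.
    h = hops(rules, "ext-client", "db1")
    return h is None or h >= 3


INVARIANTS = {
    # No generated rule lets the internet host talk straight to the database.
    "no_direct_internet_to_db": lambda rules: not any(
        r.src == "ext-client" and r.dst == "db1" for r in rules),
    "internet_to_db_via_app": db_behind_app,
}


def demo():
    """Compile the baseline, apply a tempting shortcut, and report its impact."""
    g = build_baseline()
    base = g.compile()
    g.allow("web", "db", 5432)  # proposed change: web tier reaches the DB directly
    changed = g.compile()
    added, removed = change_impact(base, changed)
    return {
        "baseline_failures": regression_check(base, INVARIANTS),
        "changed_failures": regression_check(changed, INVARIANTS),
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shortcut `web -> db:5432` passes the naive "no direct internet-to-DB rule" check but fails the path-length invariant, because an attacker on a compromised web host now reaches the database in two hops instead of three; the change-impact diff lists exactly the two generated host-level rules responsible. Real deployments would replace the BFS with a verification that scales to thousands of hosts (the role the paper's aggregation algorithm plays) and feed the diff into the deployment step only when the regression check is clean.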